1
00:00:00,000 --> 00:00:14,720
This is Hacker Public Radio episode 3,888 for Wednesday, the 28th of June 2023.

2
00:00:14,720 --> 00:00:20,560
Today's show is entitled, KeePassXC recent CVE.

3
00:00:20,560 --> 00:00:25,720
It is hosted by Some Guy On The Internet and is about 10 minutes long.

4
00:00:25,720 --> 00:00:28,320
It carries a clean flag.

5
00:00:28,320 --> 00:00:35,040
The summary is, Some Guy On The Internet talks about KeePassXC's security model and

6
00:00:35,040 --> 00:00:41,120
a recent CVE.

7
00:00:41,120 --> 00:00:46,440
Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy On The

8
00:00:46,440 --> 00:00:47,440
Internet.

9
00:00:47,440 --> 00:00:55,440
Today we're going to be talking about KeePassXC. So on June 20th, 2023, Jonathan White posted

10
00:00:55,440 --> 00:01:08,400
on the KeePassXC blog about an alleged vulnerability dubbed CVE, Charlie Victor Echo, 2023-3586.

11
00:01:08,400 --> 00:01:16,240
This is centered around KeePassXC version 2.7.5. A user submitted this CVE suggesting

12
00:01:16,240 --> 00:01:24,800
that there is a flaw in KeePassXC version 2.7.5, and they classify it as a vulnerability,

13
00:01:24,800 --> 00:01:32,480
suggesting that the password, the offline password manager, does not offer online two-factor

14
00:01:32,480 --> 00:01:43,480
authentication during changes to the database, such as exporting passwords into clear text.

15
00:01:43,480 --> 00:01:52,560
If you want to export your entire database to plain text or HTML, the user wanted it to prompt

16
00:01:52,640 --> 00:01:58,960
you for the master password before exporting the passwords to plain text.

17
00:01:58,960 --> 00:02:06,000
The user also mentioned that the password manager does not prompt you for authentication whenever

18
00:02:06,000 --> 00:02:14,400
you do things like registering a YubiKey, a hardware key. So the user filed this CVE suggesting

19
00:02:14,400 --> 00:02:22,400
that this lack of second authentication for the offline password manager will leave the user

20
00:02:22,400 --> 00:02:27,200
vulnerable. Now I'm just going to go ahead and tell you right now, I'm siding with the KeePassXC

21
00:02:27,200 --> 00:02:34,880
development team. This is not a vulnerability, and I believe that, yes, the user is confusing

22
00:02:34,880 --> 00:02:42,960
the KeePassXC security model when comparing it against online password managers that have to authenticate

23
00:02:42,960 --> 00:02:48,640
through the wire. There's been discussions on the blog; I'll have links down in the show notes.

24
00:02:48,720 --> 00:02:53,920
Other users have brought up some, you know, I guess these are members of the KeePassXC team.

25
00:02:53,920 --> 00:03:01,440
They've been mentioning things like, you know, if an attacker has access to your unlocked database,

26
00:03:01,440 --> 00:03:09,360
you have already lost. And I believe that wholeheartedly. If you leave your KeePassXC database

27
00:03:09,360 --> 00:03:16,880
unlocked for an attacker to simply have full, unfettered access, there is nothing that could

28
00:03:16,880 --> 00:03:23,360
stop them from screenshotting, just, you know, using their phone, using a notepad, taking pictures,

29
00:03:23,360 --> 00:03:30,160
whatever. So you lost. You just need to lock your database when you're not using it. And they offer,

30
00:03:30,560 --> 00:03:37,920
the KeePassXC development team offers some suggestions, you know, setting up the expiration

31
00:03:37,920 --> 00:03:43,840
timer on your database. So if it's inactive for, let's say, five minutes, it'll automatically lock

32
00:03:43,920 --> 00:03:51,920
the database, protecting you. Now, the user also pointed out that they believed the user was made

33
00:03:51,920 --> 00:04:00,720
vulnerable to the database being locked by the attacker, which would, in result, lock the owner

34
00:04:00,720 --> 00:04:09,680
out of their own password manager. So an example would be that the attacker approaches the computer

35
00:04:09,760 --> 00:04:16,000
with the unlocked database, registers a YubiKey, and then locks the original owner out, because now the

36
00:04:16,000 --> 00:04:22,800
original owner does not have the YubiKey to unlock the database. KeePassXC made clear that that's not

37
00:04:22,800 --> 00:04:27,280
something to worry about, because if they wanted to just lock you out, they could just corrupt your

38
00:04:27,280 --> 00:04:31,840
database. Right? If that's all they were trying to do is just lock you out, they would corrupt your

39
00:04:31,840 --> 00:04:37,840
database. Boom. Now you no longer have access to it because it's corrupted. And we all know that

40
00:04:38,720 --> 00:04:44,000
backups, backups, backups are the solution for things like this, because, I mean, after all,

41
00:04:44,000 --> 00:04:49,920
sometimes hard drives, you know, I'm not going to go into all of that. But either way, this is not

42
00:04:49,920 --> 00:04:56,960
a vulnerability, but it will be brought up in the press as some, you know, some massive vulnerability that's

43
00:04:56,960 --> 00:05:03,200
going to leave you vulnerable to all sorts of attacks across the world. And I want to give my two

44
00:05:03,200 --> 00:05:12,240
cents on it before it got a little too widespread. So KeePassXC version 2.7.5 is very safe to use.

45
00:05:12,240 --> 00:05:18,240
It's a local offline password manager, so you don't have to worry about these additional steps of

46
00:05:18,240 --> 00:05:23,520
authenticating, you know, re-authenticating, once you've unlocked your database. You understand,

47
00:05:23,520 --> 00:05:28,800
if you're following decent practices, the reasonable ones that have been mentioned in the past by

48
00:05:28,800 --> 00:05:36,320
me and others, and KeePassXC also has information on their website that can further assist you with

49
00:05:36,320 --> 00:05:41,520
how to manage your database and the safe practices, you've got nothing to worry about. They also mentioned

50
00:05:41,520 --> 00:05:49,440
that they're petitioning against this CVE because it's not a vulnerability. You know, it's a user that

51
00:05:49,920 --> 00:05:54,640
got a little confused about the security model and things got out of hand.

52
00:05:54,640 --> 00:05:59,520
Alright, so let's talk about security theater. I just learned this term while going over

53
00:05:59,520 --> 00:06:05,280
this whole article from KeePassXC. I'm going to take a stroll over to Wikipedia,

54
00:06:05,280 --> 00:06:14,960
where we have a CC BY-SA 4.0 article that we can use. Wikipedia tells us that security theater is an

55
00:06:14,960 --> 00:06:24,320
unsafe practice. It only gives the user the illusion of security with unnecessary security practices,

56
00:06:24,400 --> 00:06:30,400
such as prompting you over and over and over again for a password on an offline password manager,

57
00:06:30,400 --> 00:06:37,600
that kind of thing, where some users may feel like this is a benefit. The reality is it's so

58
00:06:37,600 --> 00:06:43,920
minuscule, if any benefit is provided through this practice. Overall, what it's going to do is

59
00:06:43,920 --> 00:06:52,160
it's going to convince people not to use security at all to avoid this constant prompting, right?

60
00:06:52,240 --> 00:06:56,640
In other words, turning off the whole password prompting just because it's annoying. It gets

61
00:06:56,640 --> 00:07:02,960
in the way. I'm going to start including this once I get set up to reboot the ONO news again.

62
00:07:02,960 --> 00:07:07,440
I'm going to make sure I include this in the additional information section of the show.

63
00:07:07,440 --> 00:07:13,840
They give some great examples here on the page as well, such as confiscating water bottles

64
00:07:13,840 --> 00:07:19,280
but then allowing you to buy bottled water. That's something you've experienced if you've ever been to

65
00:07:20,240 --> 00:07:25,280
certain airports; they may do it. Don't let you bring your own bottled water in, or whatever,

66
00:07:25,280 --> 00:07:29,840
but you can buy bottled water once you get in. But I think the airports will allow you to

67
00:07:29,840 --> 00:07:34,400
bring a thermos, so long as it's empty when you bring it in, and then you fill it up at

68
00:07:34,400 --> 00:07:40,240
like a water fountain or something like that. I'd also like to put the question out to the community.

69
00:07:40,240 --> 00:07:48,560
Do you guys find this to be a helpful feature? If you use KeePassXC, do you find it to be helpful

70
00:07:48,560 --> 00:07:54,720
at all for you to be constantly prompted for your password after you've unlocked your password

71
00:07:54,720 --> 00:08:01,520
manager and begun using it? So whenever you want to add a new entry into your password manager

72
00:08:01,520 --> 00:08:07,040
or change an entry in your password manager, do you want to be prompted over and over again

73
00:08:07,040 --> 00:08:13,280
because you're making changes to the database, or if you were exporting, right? Say, for instance,

74
00:08:13,280 --> 00:08:19,600
you're going to create a new database so that you can export some of your credentials from your

75
00:08:19,600 --> 00:08:27,280
personal database over to this new one, because maybe you're going into a work environment where

76
00:08:27,280 --> 00:08:33,440
you don't want to have all your credentials unlocked, only the necessary ones for that environment.

77
00:08:33,440 --> 00:08:39,920
So you export the necessary ones into a separate database that you can bring with you on, like,

78
00:08:40,720 --> 00:08:45,680
a thumb drive. Do you think it's necessary to prompt you whenever you're making changes,

79
00:08:45,680 --> 00:08:50,560
even though you've already authenticated? Personally, I don't. I don't think it's necessary.

80
00:08:50,560 --> 00:08:56,080
I think we all have to take a certain level of responsibility. You know, we have to own our own

81
00:08:56,080 --> 00:09:03,360
security and be responsible when using these technologies. I don't need KeePassXC to hold my hand

82
00:09:03,360 --> 00:09:08,480
as I'm using this password manager. They've done enough in creating it and making it

83
00:09:08,480 --> 00:09:13,520
superb, in my opinion. I don't need them looking over my shoulder, constantly going, hey, are you sure

84
00:09:13,520 --> 00:09:17,760
you need to do that? Are you sure you need? You know, it just gets annoying, in my opinion.

85
00:09:17,760 --> 00:09:21,600
But what do you think? You want to be prompted over and over again? Do you think the prompts are

86
00:09:21,600 --> 00:09:27,600
necessary? Do you think the prompts are helping new users be more security-minded or anything

87
00:09:27,600 --> 00:09:33,920
of that nature? What do you think? I'll tell you what, though. KeePassXC may want to take some time

88
00:09:34,400 --> 00:09:43,040
and better explain how their technology is intended to be used. I think that would be an excellent

89
00:09:43,040 --> 00:09:49,360
step forward, because if people are going to make the comparison in this technology, an offline

90
00:09:49,360 --> 00:09:55,280
password manager, against something like an online password manager, it's best to have it made

91
00:09:55,280 --> 00:10:02,160
abundantly clear. Yes, they serve the same purpose, but they operate differently, and offer some

92
00:10:02,160 --> 00:10:09,760
detail as to why you are not necessarily prompted for every single action, whereas in an online

93
00:10:09,760 --> 00:10:15,920
password manager you may need to be prompted simply because someone else is managing your secrets.

94
00:10:16,800 --> 00:10:23,520
That's enough rambling for me on this episode. I just wanted to get in here and do a quick show

95
00:10:23,520 --> 00:10:28,400
on KeePassXC and the latest news. I'll catch you guys in the next episode.

96
00:10:29,120 --> 00:10:37,440
You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was

97
00:10:37,440 --> 00:10:43,440
contributed by an HPR listener like yourself. If you ever thought of recording a podcast,

98
00:10:43,440 --> 00:10:51,040
click on our Contribute link to find out how easy it really is. Hosting for HPR has been kindly provided

99
00:10:51,040 --> 00:10:58,240
by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated,

100
00:10:58,240 --> 00:11:08,960
today's show is released under a Creative Commons Attribution 4.0 International license.